Home | History | Annotate | Download | only in wpa_supplicant
      1 /*
      2  * wpa_supplicant - SME
      3  * Copyright (c) 2009-2012, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "utils/eloop.h"
     13 #include "common/ieee802_11_defs.h"
     14 #include "common/ieee802_11_common.h"
     15 #include "eapol_supp/eapol_supp_sm.h"
     16 #include "common/wpa_common.h"
     17 #include "common/sae.h"
     18 #include "rsn_supp/wpa.h"
     19 #include "rsn_supp/pmksa_cache.h"
     20 #include "config.h"
     21 #include "wpa_supplicant_i.h"
     22 #include "driver_i.h"
     23 #include "wpas_glue.h"
     24 #include "wps_supplicant.h"
     25 #include "p2p_supplicant.h"
     26 #include "notify.h"
     27 #include "bss.h"
     28 #include "scan.h"
     29 #include "sme.h"
     30 #include "hs20_supplicant.h"
     31 
     32 #define SME_AUTH_TIMEOUT 5
     33 #define SME_ASSOC_TIMEOUT 5
     34 
     35 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx);
     36 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx);
     37 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx);
     38 #ifdef CONFIG_IEEE80211W
     39 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s);
     40 #endif /* CONFIG_IEEE80211W */
     41 
     42 
     43 #ifdef CONFIG_SAE
     44 
     45 static int index_within_array(const int *array, int idx)
     46 {
     47 	int i;
     48 	for (i = 0; i < idx; i++) {
     49 		if (array[i] == -1)
     50 			return 0;
     51 	}
     52 	return 1;
     53 }
     54 
     55 
     56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
     57 {
     58 	int *groups = wpa_s->conf->sae_groups;
     59 	int default_groups[] = { 19, 20, 21, 25, 26 };
     60 
     61 	if (!groups)
     62 		groups = default_groups;
     63 
     64 	/* Configuration may have changed, so validate current index */
     65 	if (!index_within_array(groups, wpa_s->sme.sae_group_index))
     66 		return -1;
     67 
     68 	for (;;) {
     69 		int group = groups[wpa_s->sme.sae_group_index];
     70 		if (group < 0)
     71 			break;
     72 		if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
     73 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
     74 				wpa_s->sme.sae.group);
     75 		       return 0;
     76 		}
     77 		wpa_s->sme.sae_group_index++;
     78 	}
     79 
     80 	return -1;
     81 }
     82 
     83 
     84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
     85 						 struct wpa_ssid *ssid,
     86 						 const u8 *bssid)
     87 {
     88 	struct wpabuf *buf;
     89 	size_t len;
     90 
     91 	if (ssid->passphrase == NULL) {
     92 		wpa_printf(MSG_DEBUG, "SAE: No password available");
     93 		return NULL;
     94 	}
     95 
     96 	if (sme_set_sae_group(wpa_s) < 0) {
     97 		wpa_printf(MSG_DEBUG, "SAE: Failed to select group");
     98 		return NULL;
     99 	}
    100 
    101 	if (sae_prepare_commit(wpa_s->own_addr, bssid,
    102 			       (u8 *) ssid->passphrase,
    103 			       os_strlen(ssid->passphrase),
    104 			       &wpa_s->sme.sae) < 0) {
    105 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
    106 		return NULL;
    107 	}
    108 
    109 	len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0;
    110 	buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
    111 	if (buf == NULL)
    112 		return NULL;
    113 
    114 	wpabuf_put_le16(buf, 1); /* Transaction seq# */
    115 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
    116 	sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token);
    117 
    118 	return buf;
    119 }
    120 
    121 
    122 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s)
    123 {
    124 	struct wpabuf *buf;
    125 
    126 	buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN);
    127 	if (buf == NULL)
    128 		return NULL;
    129 
    130 	wpabuf_put_le16(buf, 2); /* Transaction seq# */
    131 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
    132 	sae_write_confirm(&wpa_s->sme.sae, buf);
    133 
    134 	return buf;
    135 }
    136 
    137 #endif /* CONFIG_SAE */
    138 
    139 
    140 static void sme_send_authentication(struct wpa_supplicant *wpa_s,
    141 				    struct wpa_bss *bss, struct wpa_ssid *ssid,
    142 				    int start)
    143 {
    144 	struct wpa_driver_auth_params params;
    145 	struct wpa_ssid *old_ssid;
    146 #ifdef CONFIG_IEEE80211R
    147 	const u8 *ie;
    148 #endif /* CONFIG_IEEE80211R */
    149 #ifdef CONFIG_IEEE80211R
    150 	const u8 *md = NULL;
    151 #endif /* CONFIG_IEEE80211R */
    152 	int i, bssid_changed;
    153 	struct wpabuf *resp = NULL;
    154 	u8 ext_capab[10];
    155 	int ext_capab_len;
    156 
    157 	if (bss == NULL) {
    158 		wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for "
    159 			"the network");
    160 		return;
    161 	}
    162 
    163 	wpa_s->current_bss = bss;
    164 
    165 	os_memset(&params, 0, sizeof(params));
    166 	wpa_s->reassociate = 0;
    167 
    168 	params.freq = bss->freq;
    169 	params.bssid = bss->bssid;
    170 	params.ssid = bss->ssid;
    171 	params.ssid_len = bss->ssid_len;
    172 	params.p2p = ssid->p2p_group;
    173 
    174 	if (wpa_s->sme.ssid_len != params.ssid_len ||
    175 	    os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0)
    176 		wpa_s->sme.prev_bssid_set = 0;
    177 
    178 	wpa_s->sme.freq = params.freq;
    179 	os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len);
    180 	wpa_s->sme.ssid_len = params.ssid_len;
    181 
    182 	params.auth_alg = WPA_AUTH_ALG_OPEN;
    183 #ifdef IEEE8021X_EAPOL
    184 	if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
    185 		if (ssid->leap) {
    186 			if (ssid->non_leap == 0)
    187 				params.auth_alg = WPA_AUTH_ALG_LEAP;
    188 			else
    189 				params.auth_alg |= WPA_AUTH_ALG_LEAP;
    190 		}
    191 	}
    192 #endif /* IEEE8021X_EAPOL */
    193 	wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x",
    194 		params.auth_alg);
    195 	if (ssid->auth_alg) {
    196 		params.auth_alg = ssid->auth_alg;
    197 		wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: "
    198 			"0x%x", params.auth_alg);
    199 	}
    200 #ifdef CONFIG_SAE
    201 	if (wpa_key_mgmt_sae(ssid->key_mgmt)) {
    202 		const u8 *rsn;
    203 		struct wpa_ie_data ied;
    204 
    205 		rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
    206 		if (rsn &&
    207 		    wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0) {
    208 			if (wpa_key_mgmt_sae(ied.key_mgmt)) {
    209 				wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg");
    210 				params.auth_alg = WPA_AUTH_ALG_SAE;
    211 			}
    212 		}
    213 	}
    214 #endif /* CONFIG_SAE */
    215 
    216 	for (i = 0; i < NUM_WEP_KEYS; i++) {
    217 		if (ssid->wep_key_len[i])
    218 			params.wep_key[i] = ssid->wep_key[i];
    219 		params.wep_key_len[i] = ssid->wep_key_len[i];
    220 	}
    221 	params.wep_tx_keyidx = ssid->wep_tx_keyidx;
    222 
    223 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
    224 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
    225 	os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN);
    226 	if (bssid_changed)
    227 		wpas_notify_bssid_changed(wpa_s);
    228 
    229 	if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) ||
    230 	     wpa_bss_get_ie(bss, WLAN_EID_RSN)) &&
    231 	    wpa_key_mgmt_wpa(ssid->key_mgmt)) {
    232 		int try_opportunistic;
    233 		try_opportunistic = (ssid->proactive_key_caching < 0 ?
    234 				     wpa_s->conf->okc :
    235 				     ssid->proactive_key_caching) &&
    236 			(ssid->proto & WPA_PROTO_RSN);
    237 		if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
    238 					    wpa_s->current_ssid,
    239 					    try_opportunistic) == 0)
    240 			eapol_sm_notify_pmkid_attempt(wpa_s->eapol, 1);
    241 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
    242 		if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
    243 					      wpa_s->sme.assoc_req_ie,
    244 					      &wpa_s->sme.assoc_req_ie_len)) {
    245 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
    246 				"key management and encryption suites");
    247 			return;
    248 		}
    249 	} else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
    250 		   wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) {
    251 		/*
    252 		 * Both WPA and non-WPA IEEE 802.1X enabled in configuration -
    253 		 * use non-WPA since the scan results did not indicate that the
    254 		 * AP is using WPA or WPA2.
    255 		 */
    256 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    257 		wpa_s->sme.assoc_req_ie_len = 0;
    258 	} else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) {
    259 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
    260 		if (wpa_supplicant_set_suites(wpa_s, NULL, ssid,
    261 					      wpa_s->sme.assoc_req_ie,
    262 					      &wpa_s->sme.assoc_req_ie_len)) {
    263 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
    264 				"key management and encryption suites (no "
    265 				"scan results)");
    266 			return;
    267 		}
    268 #ifdef CONFIG_WPS
    269 	} else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
    270 		struct wpabuf *wps_ie;
    271 		wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid));
    272 		if (wps_ie && wpabuf_len(wps_ie) <=
    273 		    sizeof(wpa_s->sme.assoc_req_ie)) {
    274 			wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie);
    275 			os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie),
    276 				  wpa_s->sme.assoc_req_ie_len);
    277 		} else
    278 			wpa_s->sme.assoc_req_ie_len = 0;
    279 		wpabuf_free(wps_ie);
    280 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    281 #endif /* CONFIG_WPS */
    282 	} else {
    283 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
    284 		wpa_s->sme.assoc_req_ie_len = 0;
    285 	}
    286 
    287 #ifdef CONFIG_IEEE80211R
    288 	ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
    289 	if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
    290 		md = ie + 2;
    291 	wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0);
    292 	if (md) {
    293 		/* Prepare for the next transition */
    294 		wpa_ft_prepare_auth_request(wpa_s->wpa, ie);
    295 	}
    296 
    297 	if (md && wpa_key_mgmt_ft(ssid->key_mgmt)) {
    298 		if (wpa_s->sme.assoc_req_ie_len + 5 <
    299 		    sizeof(wpa_s->sme.assoc_req_ie)) {
    300 			struct rsn_mdie *mdie;
    301 			u8 *pos = wpa_s->sme.assoc_req_ie +
    302 				wpa_s->sme.assoc_req_ie_len;
    303 			*pos++ = WLAN_EID_MOBILITY_DOMAIN;
    304 			*pos++ = sizeof(*mdie);
    305 			mdie = (struct rsn_mdie *) pos;
    306 			os_memcpy(mdie->mobility_domain, md,
    307 				  MOBILITY_DOMAIN_ID_LEN);
    308 			mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN];
    309 			wpa_s->sme.assoc_req_ie_len += 5;
    310 		}
    311 
    312 		if (wpa_s->sme.ft_used &&
    313 		    os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
    314 		    wpa_sm_has_ptk(wpa_s->wpa)) {
    315 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
    316 				"over-the-air");
    317 			params.auth_alg = WPA_AUTH_ALG_FT;
    318 			params.ie = wpa_s->sme.ft_ies;
    319 			params.ie_len = wpa_s->sme.ft_ies_len;
    320 		}
    321 	}
    322 #endif /* CONFIG_IEEE80211R */
    323 
    324 #ifdef CONFIG_IEEE80211W
    325 	wpa_s->sme.mfp = ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT ?
    326 		wpa_s->conf->pmf : ssid->ieee80211w;
    327 	if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) {
    328 		const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
    329 		struct wpa_ie_data _ie;
    330 		if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 &&
    331 		    _ie.capabilities &
    332 		    (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
    333 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports "
    334 				"MFP: require MFP");
    335 			wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED;
    336 		}
    337 	}
    338 #endif /* CONFIG_IEEE80211W */
    339 
    340 #ifdef CONFIG_P2P
    341 	if (wpa_s->global->p2p) {
    342 		u8 *pos;
    343 		size_t len;
    344 		int res;
    345 		pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
    346 		len = sizeof(wpa_s->sme.assoc_req_ie) -
    347 			wpa_s->sme.assoc_req_ie_len;
    348 		res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len,
    349 					    ssid->p2p_group);
    350 		if (res >= 0)
    351 			wpa_s->sme.assoc_req_ie_len += res;
    352 	}
    353 #endif /* CONFIG_P2P */
    354 
    355 #ifdef CONFIG_HS20
    356 	if (wpa_s->conf->hs20) {
    357 		struct wpabuf *hs20;
    358 		hs20 = wpabuf_alloc(20);
    359 		if (hs20) {
    360 			wpas_hs20_add_indication(hs20);
    361 			os_memcpy(wpa_s->sme.assoc_req_ie +
    362 				  wpa_s->sme.assoc_req_ie_len,
    363 				  wpabuf_head(hs20), wpabuf_len(hs20));
    364 			wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20);
    365 			wpabuf_free(hs20);
    366 		}
    367 	}
    368 #endif /* CONFIG_HS20 */
    369 
    370 	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab);
    371 	if (ext_capab_len > 0) {
    372 		u8 *pos = wpa_s->sme.assoc_req_ie;
    373 		if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)
    374 			pos += 2 + pos[1];
    375 		os_memmove(pos + ext_capab_len, pos,
    376 			   wpa_s->sme.assoc_req_ie_len -
    377 			   (pos - wpa_s->sme.assoc_req_ie));
    378 		wpa_s->sme.assoc_req_ie_len += ext_capab_len;
    379 		os_memcpy(pos, ext_capab, ext_capab_len);
    380 	}
    381 
    382 #ifdef CONFIG_SAE
    383 	if (params.auth_alg == WPA_AUTH_ALG_SAE) {
    384 		if (start)
    385 			resp = sme_auth_build_sae_commit(wpa_s, ssid,
    386 							 bss->bssid);
    387 		else
    388 			resp = sme_auth_build_sae_confirm(wpa_s);
    389 		if (resp == NULL)
    390 			return;
    391 		params.sae_data = wpabuf_head(resp);
    392 		params.sae_data_len = wpabuf_len(resp);
    393 		wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED;
    394 	}
    395 #endif /* CONFIG_SAE */
    396 
    397 	wpa_supplicant_cancel_sched_scan(wpa_s);
    398 	wpa_supplicant_cancel_scan(wpa_s);
    399 
    400 	wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR
    401 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
    402 		wpa_ssid_txt(params.ssid, params.ssid_len), params.freq);
    403 
    404 	wpa_clear_keys(wpa_s, bss->bssid);
    405 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
    406 	old_ssid = wpa_s->current_ssid;
    407 	wpa_s->current_ssid = ssid;
    408 	wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
    409 	wpa_supplicant_initiate_eapol(wpa_s);
    410 	if (old_ssid != wpa_s->current_ssid)
    411 		wpas_notify_network_changed(wpa_s);
    412 
    413 	wpa_s->sme.auth_alg = params.auth_alg;
    414 	if (wpa_drv_authenticate(wpa_s, &params) < 0) {
    415 		wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the "
    416 			"driver failed");
    417 		wpas_connection_failed(wpa_s, bss->bssid);
    418 		wpa_supplicant_mark_disassoc(wpa_s);
    419 		wpabuf_free(resp);
    420 		return;
    421 	}
    422 
    423 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
    424 			       NULL);
    425 
    426 	/*
    427 	 * Association will be started based on the authentication event from
    428 	 * the driver.
    429 	 */
    430 
    431 	wpabuf_free(resp);
    432 }
    433 
    434 
    435 void sme_authenticate(struct wpa_supplicant *wpa_s,
    436 		      struct wpa_bss *bss, struct wpa_ssid *ssid)
    437 {
    438 #ifdef CONFIG_SAE
    439 	wpa_s->sme.sae.state = SAE_NOTHING;
    440 	wpa_s->sme.sae.send_confirm = 0;
    441 #endif /* CONFIG_SAE */
    442 	sme_send_authentication(wpa_s, bss, ssid, 1);
    443 }
    444 
    445 
    446 #ifdef CONFIG_SAE
    447 
    448 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
    449 			u16 status_code, const u8 *data, size_t len)
    450 {
    451 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
    452 		"status code %u", auth_transaction, status_code);
    453 
    454 	if (auth_transaction == 1 &&
    455 	    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
    456 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
    457 	    wpa_s->current_bss && wpa_s->current_ssid) {
    458 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE anti-clogging token "
    459 			"requested");
    460 		wpabuf_free(wpa_s->sme.sae_token);
    461 		wpa_s->sme.sae_token = wpabuf_alloc_copy(data, len);
    462 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    463 					wpa_s->current_ssid, 1);
    464 		return 0;
    465 	}
    466 
    467 	if (auth_transaction == 1 &&
    468 	    status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
    469 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
    470 	    wpa_s->current_bss && wpa_s->current_ssid) {
    471 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported");
    472 		wpa_s->sme.sae_group_index++;
    473 		if (sme_set_sae_group(wpa_s) < 0)
    474 			return -1; /* no other groups enabled */
    475 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group");
    476 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    477 					wpa_s->current_ssid, 1);
    478 		return 0;
    479 	}
    480 
    481 	if (status_code != WLAN_STATUS_SUCCESS)
    482 		return -1;
    483 
    484 	if (auth_transaction == 1) {
    485 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit");
    486 		if (wpa_s->current_bss == NULL ||
    487 		    wpa_s->current_ssid == NULL)
    488 			return -1;
    489 		if (wpa_s->sme.sae.state != SAE_COMMITTED)
    490 			return -1;
    491 		if (sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL,
    492 				     wpa_s->conf->sae_groups) !=
    493 		    WLAN_STATUS_SUCCESS)
    494 			return -1;
    495 
    496 		if (sae_process_commit(&wpa_s->sme.sae) < 0) {
    497 			wpa_printf(MSG_DEBUG, "SAE: Failed to process peer "
    498 				   "commit");
    499 			return -1;
    500 		}
    501 
    502 		wpabuf_free(wpa_s->sme.sae_token);
    503 		wpa_s->sme.sae_token = NULL;
    504 		sme_send_authentication(wpa_s, wpa_s->current_bss,
    505 					wpa_s->current_ssid, 0);
    506 		return 0;
    507 	} else if (auth_transaction == 2) {
    508 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
    509 		if (wpa_s->sme.sae.state != SAE_CONFIRMED)
    510 			return -1;
    511 		if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0)
    512 			return -1;
    513 		wpa_s->sme.sae.state = SAE_ACCEPTED;
    514 		sae_clear_temp_data(&wpa_s->sme.sae);
    515 		return 1;
    516 	}
    517 
    518 	return -1;
    519 }
    520 #endif /* CONFIG_SAE */
    521 
    522 
    523 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
    524 {
    525 	struct wpa_ssid *ssid = wpa_s->current_ssid;
    526 
    527 	if (ssid == NULL) {
    528 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
    529 			"when network is not selected");
    530 		return;
    531 	}
    532 
    533 	if (wpa_s->wpa_state != WPA_AUTHENTICATING) {
    534 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
    535 			"when not in authenticating state");
    536 		return;
    537 	}
    538 
    539 	if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) {
    540 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with "
    541 			"unexpected peer " MACSTR,
    542 			MAC2STR(data->auth.peer));
    543 		return;
    544 	}
    545 
    546 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR
    547 		" auth_type=%d auth_transaction=%d status_code=%d",
    548 		MAC2STR(data->auth.peer), data->auth.auth_type,
    549 		data->auth.auth_transaction, data->auth.status_code);
    550 	wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs",
    551 		    data->auth.ies, data->auth.ies_len);
    552 
    553 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
    554 
    555 #ifdef CONFIG_SAE
    556 	if (data->auth.auth_type == WLAN_AUTH_SAE) {
    557 		int res;
    558 		res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
    559 				   data->auth.status_code, data->auth.ies,
    560 				   data->auth.ies_len);
    561 		if (res < 0) {
    562 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    563 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    564 
    565 		}
    566 		if (res != 1)
    567 			return;
    568 
    569 		wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for "
    570 			   "4-way handshake");
    571 		wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN);
    572 	}
    573 #endif /* CONFIG_SAE */
    574 
    575 	if (data->auth.status_code != WLAN_STATUS_SUCCESS) {
    576 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication failed (status "
    577 			"code %d)", data->auth.status_code);
    578 
    579 		if (data->auth.status_code !=
    580 		    WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG ||
    581 		    wpa_s->sme.auth_alg == data->auth.auth_type ||
    582 		    wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) {
    583 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    584 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    585 			return;
    586 		}
    587 
    588 		switch (data->auth.auth_type) {
    589 		case WLAN_AUTH_OPEN:
    590 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED;
    591 
    592 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth");
    593 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
    594 						 wpa_s->current_ssid);
    595 			return;
    596 
    597 		case WLAN_AUTH_SHARED_KEY:
    598 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP;
    599 
    600 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth");
    601 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
    602 						 wpa_s->current_ssid);
    603 			return;
    604 
    605 		default:
    606 			return;
    607 		}
    608 	}
    609 
    610 #ifdef CONFIG_IEEE80211R
    611 	if (data->auth.auth_type == WLAN_AUTH_FT) {
    612 		union wpa_event_data edata;
    613 		os_memset(&edata, 0, sizeof(edata));
    614 		edata.ft_ies.ies = data->auth.ies;
    615 		edata.ft_ies.ies_len = data->auth.ies_len;
    616 		os_memcpy(edata.ft_ies.target_ap, data->auth.peer, ETH_ALEN);
    617 		wpa_supplicant_event(wpa_s, EVENT_FT_RESPONSE, &edata);
    618 	}
    619 #endif /* CONFIG_IEEE80211R */
    620 
    621 	sme_associate(wpa_s, ssid->mode, data->auth.peer,
    622 		      data->auth.auth_type);
    623 }
    624 
    625 
    626 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
    627 		   const u8 *bssid, u16 auth_type)
    628 {
    629 	struct wpa_driver_associate_params params;
    630 	struct ieee802_11_elems elems;
    631 #ifdef CONFIG_HT_OVERRIDES
    632 	struct ieee80211_ht_capabilities htcaps;
    633 	struct ieee80211_ht_capabilities htcaps_mask;
    634 #endif /* CONFIG_HT_OVERRIDES */
    635 #ifdef CONFIG_VHT_OVERRIDES
    636 	struct ieee80211_vht_capabilities vhtcaps;
    637 	struct ieee80211_vht_capabilities vhtcaps_mask;
    638 #endif /* CONFIG_VHT_OVERRIDES */
    639 
    640 	os_memset(&params, 0, sizeof(params));
    641 	params.bssid = bssid;
    642 	params.ssid = wpa_s->sme.ssid;
    643 	params.ssid_len = wpa_s->sme.ssid_len;
    644 	params.freq = wpa_s->sme.freq;
    645 	params.bg_scan_period = wpa_s->current_ssid ?
    646 		wpa_s->current_ssid->bg_scan_period : -1;
    647 	params.wpa_ie = wpa_s->sme.assoc_req_ie_len ?
    648 		wpa_s->sme.assoc_req_ie : NULL;
    649 	params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
    650 	params.pairwise_suite =
    651 		wpa_cipher_to_suite_driver(wpa_s->pairwise_cipher);
    652 	params.group_suite = wpa_cipher_to_suite_driver(wpa_s->group_cipher);
    653 #ifdef CONFIG_HT_OVERRIDES
    654 	os_memset(&htcaps, 0, sizeof(htcaps));
    655 	os_memset(&htcaps_mask, 0, sizeof(htcaps_mask));
    656 	params.htcaps = (u8 *) &htcaps;
    657 	params.htcaps_mask = (u8 *) &htcaps_mask;
    658 	wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, &params);
    659 #endif /* CONFIG_HT_OVERRIDES */
    660 #ifdef CONFIG_VHT_OVERRIDES
    661 	os_memset(&vhtcaps, 0, sizeof(vhtcaps));
    662 	os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask));
    663 	params.vhtcaps = &vhtcaps;
    664 	params.vhtcaps_mask = &vhtcaps_mask;
    665 	wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, &params);
    666 #endif /* CONFIG_VHT_OVERRIDES */
    667 #ifdef CONFIG_IEEE80211R
    668 	if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) {
    669 		params.wpa_ie = wpa_s->sme.ft_ies;
    670 		params.wpa_ie_len = wpa_s->sme.ft_ies_len;
    671 	}
    672 #endif /* CONFIG_IEEE80211R */
    673 	params.mode = mode;
    674 	params.mgmt_frame_protection = wpa_s->sme.mfp;
    675 	if (wpa_s->sme.prev_bssid_set)
    676 		params.prev_bssid = wpa_s->sme.prev_bssid;
    677 
    678 	wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR
    679 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
    680 		params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "",
    681 		params.freq);
    682 
    683 	wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING);
    684 
    685 	if (params.wpa_ie == NULL ||
    686 	    ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0)
    687 	    < 0) {
    688 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!");
    689 		os_memset(&elems, 0, sizeof(elems));
    690 	}
    691 	if (elems.rsn_ie) {
    692 		params.wpa_proto = WPA_PROTO_RSN;
    693 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2,
    694 					elems.rsn_ie_len + 2);
    695 	} else if (elems.wpa_ie) {
    696 		params.wpa_proto = WPA_PROTO_WPA;
    697 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2,
    698 					elems.wpa_ie_len + 2);
    699 	} else
    700 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
    701 	if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group)
    702 		params.p2p = 1;
    703 
    704 	if (wpa_s->parent->set_sta_uapsd)
    705 		params.uapsd = wpa_s->parent->sta_uapsd;
    706 	else
    707 		params.uapsd = -1;
    708 
    709 	if (wpa_drv_associate(wpa_s, &params) < 0) {
    710 		wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the "
    711 			"driver failed");
    712 		wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    713 		wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    714 		os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
    715 		return;
    716 	}
    717 
    718 	eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s,
    719 			       NULL);
    720 }
    721 
    722 
    723 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md,
    724 		      const u8 *ies, size_t ies_len)
    725 {
    726 	if (md == NULL || ies == NULL) {
    727 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain");
    728 		os_free(wpa_s->sme.ft_ies);
    729 		wpa_s->sme.ft_ies = NULL;
    730 		wpa_s->sme.ft_ies_len = 0;
    731 		wpa_s->sme.ft_used = 0;
    732 		return 0;
    733 	}
    734 
    735 	os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
    736 	wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len);
    737 	os_free(wpa_s->sme.ft_ies);
    738 	wpa_s->sme.ft_ies = os_malloc(ies_len);
    739 	if (wpa_s->sme.ft_ies == NULL)
    740 		return -1;
    741 	os_memcpy(wpa_s->sme.ft_ies, ies, ies_len);
    742 	wpa_s->sme.ft_ies_len = ies_len;
    743 	return 0;
    744 }
    745 
    746 
    747 static void sme_deauth(struct wpa_supplicant *wpa_s)
    748 {
    749 	int bssid_changed;
    750 
    751 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
    752 
    753 	if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
    754 				   WLAN_REASON_DEAUTH_LEAVING) < 0) {
    755 		wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver "
    756 			"failed");
    757 	}
    758 	wpa_s->sme.prev_bssid_set = 0;
    759 
    760 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    761 	wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
    762 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
    763 	os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
    764 	if (bssid_changed)
    765 		wpas_notify_bssid_changed(wpa_s);
    766 }
    767 
    768 
    769 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s,
    770 			    union wpa_event_data *data)
    771 {
    772 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: "
    773 		"status code %d", MAC2STR(wpa_s->pending_bssid),
    774 		data->assoc_reject.status_code);
    775 
    776 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
    777 
    778 	/*
    779 	 * For now, unconditionally terminate the previous authentication. In
    780 	 * theory, this should not be needed, but mac80211 gets quite confused
    781 	 * if the authentication is left pending.. Some roaming cases might
    782 	 * benefit from using the previous authentication, so this could be
    783 	 * optimized in the future.
    784 	 */
    785 	sme_deauth(wpa_s);
    786 }
    787 
    788 
    789 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s,
    790 			      union wpa_event_data *data)
    791 {
    792 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out");
    793 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    794 	wpa_supplicant_mark_disassoc(wpa_s);
    795 }
    796 
    797 
    798 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s,
    799 			       union wpa_event_data *data)
    800 {
    801 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out");
    802 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
    803 	wpa_supplicant_mark_disassoc(wpa_s);
    804 }
    805 
    806 
    807 void sme_event_disassoc(struct wpa_supplicant *wpa_s,
    808 			union wpa_event_data *data)
    809 {
    810 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received");
    811 	if (wpa_s->sme.prev_bssid_set) {
    812 		/*
    813 		 * cfg80211/mac80211 can get into somewhat confused state if
    814 		 * the AP only disassociates us and leaves us in authenticated
    815 		 * state. For now, force the state to be cleared to avoid
    816 		 * confusing errors if we try to associate with the AP again.
    817 		 */
    818 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear "
    819 			"driver state");
    820 		wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid,
    821 				       WLAN_REASON_DEAUTH_LEAVING);
    822 	}
    823 }
    824 
    825 
    826 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx)
    827 {
    828 	struct wpa_supplicant *wpa_s = eloop_ctx;
    829 	if (wpa_s->wpa_state == WPA_AUTHENTICATING) {
    830 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout");
    831 		sme_deauth(wpa_s);
    832 	}
    833 }
    834 
    835 
    836 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx)
    837 {
    838 	struct wpa_supplicant *wpa_s = eloop_ctx;
    839 	if (wpa_s->wpa_state == WPA_ASSOCIATING) {
    840 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout");
    841 		sme_deauth(wpa_s);
    842 	}
    843 }
    844 
    845 
    846 void sme_state_changed(struct wpa_supplicant *wpa_s)
    847 {
    848 	/* Make sure timers are cleaned up appropriately. */
    849 	if (wpa_s->wpa_state != WPA_ASSOCIATING)
    850 		eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
    851 	if (wpa_s->wpa_state != WPA_AUTHENTICATING)
    852 		eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
    853 }
    854 
    855 
    856 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
    857 				       const u8 *prev_pending_bssid)
    858 {
    859 	/*
    860 	 * mac80211-workaround to force deauth on failed auth cmd,
    861 	 * requires us to remain in authenticating state to allow the
    862 	 * second authentication attempt to be continued properly.
    863 	 */
    864 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication "
    865 		"to proceed after disconnection event");
    866 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
    867 	os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN);
    868 
    869 	/*
    870 	 * Re-arm authentication timer in case auth fails for whatever reason.
    871 	 */
    872 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
    873 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
    874 			       NULL);
    875 }
    876 
    877 
    878 void sme_deinit(struct wpa_supplicant *wpa_s)
    879 {
    880 	os_free(wpa_s->sme.ft_ies);
    881 	wpa_s->sme.ft_ies = NULL;
    882 	wpa_s->sme.ft_ies_len = 0;
    883 #ifdef CONFIG_IEEE80211W
    884 	sme_stop_sa_query(wpa_s);
    885 #endif /* CONFIG_IEEE80211W */
    886 #ifdef CONFIG_SAE
    887 	wpabuf_free(wpa_s->sme.sae_token);
    888 	wpa_s->sme.sae_token = NULL;
    889 	sae_clear_data(&wpa_s->sme.sae);
    890 #endif /* CONFIG_SAE */
    891 
    892 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
    893 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
    894 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
    895 }
    896 
    897 
    898 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s,
    899 				   const u8 *chan_list, u8 num_channels,
    900 				   u8 num_intol)
    901 {
    902 	struct ieee80211_2040_bss_coex_ie *bc_ie;
    903 	struct ieee80211_2040_intol_chan_report *ic_report;
    904 	struct wpabuf *buf;
    905 
    906 	wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR,
    907 		   MAC2STR(wpa_s->bssid));
    908 
    909 	buf = wpabuf_alloc(2 + /* action.category + action_code */
    910 			   sizeof(struct ieee80211_2040_bss_coex_ie) +
    911 			   sizeof(struct ieee80211_2040_intol_chan_report) +
    912 			   num_channels);
    913 	if (buf == NULL)
    914 		return;
    915 
    916 	wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC);
    917 	wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX);
    918 
    919 	bc_ie = wpabuf_put(buf, sizeof(*bc_ie));
    920 	bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE;
    921 	bc_ie->length = 1;
    922 	if (num_intol)
    923 		bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ;
    924 
    925 	if (num_channels > 0) {
    926 		ic_report = wpabuf_put(buf, sizeof(*ic_report));
    927 		ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT;
    928 		ic_report->length = num_channels + 1;
    929 		ic_report->op_class = 0;
    930 		os_memcpy(wpabuf_put(buf, num_channels), chan_list,
    931 			  num_channels);
    932 	}
    933 
    934 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
    935 				wpa_s->own_addr, wpa_s->bssid,
    936 				wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
    937 		wpa_msg(wpa_s, MSG_INFO,
    938 			"SME: Failed to send 20/40 BSS Coexistence frame");
    939 	}
    940 
    941 	wpabuf_free(buf);
    942 }
    943 
    944 
    945 /**
    946  * enum wpas_band - Frequency band
    947  * @WPAS_BAND_2GHZ: 2.4 GHz ISM band
    948  * @WPAS_BAND_5GHZ: around 5 GHz band (4.9 - 5.7 GHz)
    949  */
    950 enum wpas_band {
    951 	WPAS_BAND_2GHZ,
    952 	WPAS_BAND_5GHZ,
    953 	WPAS_BAND_INVALID
    954 };
    955 
    956 /**
    957  * freq_to_channel - Convert frequency into channel info
    958  * @channel: Buffer for returning channel number
    959  * Returns: Band (2 or 5 GHz)
    960  */
    961 static enum wpas_band freq_to_channel(int freq, u8 *channel)
    962 {
    963 	enum wpas_band band = (freq <= 2484) ? WPAS_BAND_2GHZ : WPAS_BAND_5GHZ;
    964 	u8 chan = 0;
    965 
    966 	if (freq >= 2412 && freq <= 2472)
    967 		chan = (freq - 2407) / 5;
    968 	else if (freq == 2484)
    969 		chan = 14;
    970 	else if (freq >= 5180 && freq <= 5805)
    971 		chan = (freq - 5000) / 5;
    972 
    973 	*channel = chan;
    974 	return band;
    975 }
    976 
    977 
    978 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s)
    979 {
    980 	struct wpa_bss *bss;
    981 	const u8 *ie;
    982 	u16 ht_cap;
    983 	u8 chan_list[P2P_MAX_CHANNELS], channel;
    984 	u8 num_channels = 0, num_intol = 0, i;
    985 
    986 	if (!wpa_s->sme.sched_obss_scan)
    987 		return 0;
    988 
    989 	wpa_s->sme.sched_obss_scan = 0;
    990 	if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED)
    991 		return 1;
    992 
    993 	/*
    994 	 * Check whether AP uses regulatory triplet or channel triplet in
    995 	 * country info. Right now the operating class of the BSS channel
    996 	 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12),
    997 	 * based on the assumption that operating class triplet is not used in
    998 	 * beacon frame. If the First Channel Number/Operating Extension
    999 	 * Identifier octet has a positive integer value of 201 or greater,
   1000 	 * then its operating class triplet.
   1001 	 *
   1002 	 * TODO: If Supported Operating Classes element is present in beacon
   1003 	 * frame, have to lookup operating class in Annex E and fill them in
   1004 	 * 2040 coex frame.
   1005 	 */
   1006 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY);
   1007 	if (ie && (ie[1] >= 6) && (ie[5] >= 201))
   1008 		return 1;
   1009 
   1010 	os_memset(chan_list, 0, sizeof(chan_list));
   1011 
   1012 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
   1013 		/* Skip other band bss */
   1014 		if (freq_to_channel(bss->freq, &channel) != WPAS_BAND_2GHZ)
   1015 			continue;
   1016 
   1017 		ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP);
   1018 		ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0;
   1019 
   1020 		if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) {
   1021 			/* Check whether the channel is already considered */
   1022 			for (i = 0; i < num_channels; i++) {
   1023 				if (channel == chan_list[i])
   1024 					break;
   1025 			}
   1026 			if (i != num_channels)
   1027 				continue;
   1028 
   1029 			if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)
   1030 				num_intol++;
   1031 
   1032 			chan_list[num_channels++] = channel;
   1033 		}
   1034 	}
   1035 
   1036 	sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol);
   1037 	return 1;
   1038 }
   1039 
   1040 
   1041 static struct hostapd_hw_modes * get_mode(struct hostapd_hw_modes *modes,
   1042 					  u16 num_modes,
   1043 					  enum hostapd_hw_mode mode)
   1044 {
   1045 	u16 i;
   1046 
   1047 	for (i = 0; i < num_modes; i++) {
   1048 		if (modes[i].mode == mode)
   1049 			return &modes[i];
   1050 	}
   1051 
   1052 	return NULL;
   1053 }
   1054 
   1055 
   1056 static void wpa_setband_scan_freqs_list(struct wpa_supplicant *wpa_s,
   1057 					enum hostapd_hw_mode band,
   1058 					struct wpa_driver_scan_params *params)
   1059 {
   1060 	/* Include only supported channels for the specified band */
   1061 	struct hostapd_hw_modes *mode;
   1062 	int count, i;
   1063 
   1064 	mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, band);
   1065 	if (mode == NULL) {
   1066 		/* No channels supported in this band - use empty list */
   1067 		params->freqs = os_zalloc(sizeof(int));
   1068 		return;
   1069 	}
   1070 
   1071 	params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
   1072 	if (params->freqs == NULL)
   1073 		return;
   1074 	for (count = 0, i = 0; i < mode->num_channels; i++) {
   1075 		if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
   1076 			continue;
   1077 		params->freqs[count++] = mode->channels[i].freq;
   1078 	}
   1079 }
   1080 
   1081 
   1082 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx)
   1083 {
   1084 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1085 	struct wpa_driver_scan_params params;
   1086 
   1087 	if (!wpa_s->current_bss) {
   1088 		wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request");
   1089 		return;
   1090 	}
   1091 
   1092 	os_memset(&params, 0, sizeof(params));
   1093 	wpa_setband_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211G, &params);
   1094 	wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan");
   1095 
   1096 	if (wpa_supplicant_trigger_scan(wpa_s, &params))
   1097 		wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan");
   1098 	else
   1099 		wpa_s->sme.sched_obss_scan = 1;
   1100 	os_free(params.freqs);
   1101 
   1102 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
   1103 			       sme_obss_scan_timeout, wpa_s, NULL);
   1104 }
   1105 
   1106 
   1107 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable)
   1108 {
   1109 	const u8 *ie;
   1110 	struct wpa_bss *bss = wpa_s->current_bss;
   1111 	struct wpa_ssid *ssid = wpa_s->current_ssid;
   1112 	struct hostapd_hw_modes *hw_mode = NULL;
   1113 	int i;
   1114 
   1115 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
   1116 	wpa_s->sme.sched_obss_scan = 0;
   1117 	if (!enable)
   1118 		return;
   1119 
   1120 	/*
   1121 	 * Schedule OBSS scan if driver is using station SME in wpa_supplicant
   1122 	 * or it expects OBSS scan to be performed by wpa_supplicant.
   1123 	 */
   1124 	if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
   1125 	      (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) ||
   1126 	    ssid == NULL || ssid->mode != IEEE80211_MODE_INFRA)
   1127 		return;
   1128 
   1129 	if (!wpa_s->hw.modes)
   1130 		return;
   1131 
   1132 	/* only HT caps in 11g mode are relevant */
   1133 	for (i = 0; i < wpa_s->hw.num_modes; i++) {
   1134 		hw_mode = &wpa_s->hw.modes[i];
   1135 		if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G)
   1136 			break;
   1137 	}
   1138 
   1139 	/* Driver does not support HT40 for 11g or doesn't have 11g. */
   1140 	if (i == wpa_s->hw.num_modes || !hw_mode ||
   1141 	    !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
   1142 		return;
   1143 
   1144 	if (bss == NULL || bss->freq < 2400 || bss->freq > 2500)
   1145 		return; /* Not associated on 2.4 GHz band */
   1146 
   1147 	/* Check whether AP supports HT40 */
   1148 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP);
   1149 	if (!ie || ie[1] < 2 ||
   1150 	    !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
   1151 		return; /* AP does not support HT40 */
   1152 
   1153 	ie = wpa_bss_get_ie(wpa_s->current_bss,
   1154 			    WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS);
   1155 	if (!ie || ie[1] < 14)
   1156 		return; /* AP does not request OBSS scans */
   1157 
   1158 	wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6);
   1159 	if (wpa_s->sme.obss_scan_int < 10) {
   1160 		wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u "
   1161 			   "replaced with the minimum 10 sec",
   1162 			   wpa_s->sme.obss_scan_int);
   1163 		wpa_s->sme.obss_scan_int = 10;
   1164 	}
   1165 	wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec",
   1166 		   wpa_s->sme.obss_scan_int);
   1167 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
   1168 			       sme_obss_scan_timeout, wpa_s, NULL);
   1169 }
   1170 
   1171 
   1172 #ifdef CONFIG_IEEE80211W
   1173 
   1174 static const unsigned int sa_query_max_timeout = 1000;
   1175 static const unsigned int sa_query_retry_timeout = 201;
   1176 
   1177 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s)
   1178 {
   1179 	u32 tu;
   1180 	struct os_time now, passed;
   1181 	os_get_time(&now);
   1182 	os_time_sub(&now, &wpa_s->sme.sa_query_start, &passed);
   1183 	tu = (passed.sec * 1000000 + passed.usec) / 1024;
   1184 	if (sa_query_max_timeout < tu) {
   1185 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out");
   1186 		sme_stop_sa_query(wpa_s);
   1187 		wpa_supplicant_deauthenticate(
   1188 			wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID);
   1189 		return 1;
   1190 	}
   1191 
   1192 	return 0;
   1193 }
   1194 
   1195 
   1196 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s,
   1197 				  const u8 *trans_id)
   1198 {
   1199 	u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN];
   1200 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to "
   1201 		MACSTR, MAC2STR(wpa_s->bssid));
   1202 	wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID",
   1203 		    trans_id, WLAN_SA_QUERY_TR_ID_LEN);
   1204 	req[0] = WLAN_ACTION_SA_QUERY;
   1205 	req[1] = WLAN_SA_QUERY_REQUEST;
   1206 	os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN);
   1207 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
   1208 				wpa_s->own_addr, wpa_s->bssid,
   1209 				req, sizeof(req), 0) < 0)
   1210 		wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query "
   1211 			"Request");
   1212 }
   1213 
   1214 
   1215 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx)
   1216 {
   1217 	struct wpa_supplicant *wpa_s = eloop_ctx;
   1218 	unsigned int timeout, sec, usec;
   1219 	u8 *trans_id, *nbuf;
   1220 
   1221 	if (wpa_s->sme.sa_query_count > 0 &&
   1222 	    sme_check_sa_query_timeout(wpa_s))
   1223 		return;
   1224 
   1225 	nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id,
   1226 				wpa_s->sme.sa_query_count + 1,
   1227 				WLAN_SA_QUERY_TR_ID_LEN);
   1228 	if (nbuf == NULL)
   1229 		return;
   1230 	if (wpa_s->sme.sa_query_count == 0) {
   1231 		/* Starting a new SA Query procedure */
   1232 		os_get_time(&wpa_s->sme.sa_query_start);
   1233 	}
   1234 	trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN;
   1235 	wpa_s->sme.sa_query_trans_id = nbuf;
   1236 	wpa_s->sme.sa_query_count++;
   1237 
   1238 	os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN);
   1239 
   1240 	timeout = sa_query_retry_timeout;
   1241 	sec = ((timeout / 1000) * 1024) / 1000;
   1242 	usec = (timeout % 1000) * 1024;
   1243 	eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL);
   1244 
   1245 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d",
   1246 		wpa_s->sme.sa_query_count);
   1247 
   1248 	sme_send_sa_query_req(wpa_s, trans_id);
   1249 }
   1250 
   1251 
   1252 static void sme_start_sa_query(struct wpa_supplicant *wpa_s)
   1253 {
   1254 	sme_sa_query_timer(wpa_s, NULL);
   1255 }
   1256 
   1257 
   1258 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s)
   1259 {
   1260 	eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL);
   1261 	os_free(wpa_s->sme.sa_query_trans_id);
   1262 	wpa_s->sme.sa_query_trans_id = NULL;
   1263 	wpa_s->sme.sa_query_count = 0;
   1264 }
   1265 
   1266 
   1267 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
   1268 				 const u8 *da, u16 reason_code)
   1269 {
   1270 	struct wpa_ssid *ssid;
   1271 
   1272 	if (wpa_s->wpa_state != WPA_COMPLETED)
   1273 		return;
   1274 	ssid = wpa_s->current_ssid;
   1275 	if (ssid == NULL ||
   1276 	    (ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT ?
   1277 	     wpa_s->conf->pmf : ssid->ieee80211w) == NO_MGMT_FRAME_PROTECTION)
   1278 		return;
   1279 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
   1280 		return;
   1281 	if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA &&
   1282 	    reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA)
   1283 		return;
   1284 	if (wpa_s->sme.sa_query_count > 0)
   1285 		return;
   1286 
   1287 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - "
   1288 		"possible AP/STA state mismatch - trigger SA Query");
   1289 	sme_start_sa_query(wpa_s);
   1290 }
   1291 
   1292 
   1293 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
   1294 		     const u8 *data, size_t len)
   1295 {
   1296 	int i;
   1297 
   1298 	if (wpa_s->sme.sa_query_trans_id == NULL ||
   1299 	    len < 1 + WLAN_SA_QUERY_TR_ID_LEN ||
   1300 	    data[0] != WLAN_SA_QUERY_RESPONSE)
   1301 		return;
   1302 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from "
   1303 		MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
   1304 
   1305 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
   1306 		return;
   1307 
   1308 	for (i = 0; i < wpa_s->sme.sa_query_count; i++) {
   1309 		if (os_memcmp(wpa_s->sme.sa_query_trans_id +
   1310 			      i * WLAN_SA_QUERY_TR_ID_LEN,
   1311 			      data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0)
   1312 			break;
   1313 	}
   1314 
   1315 	if (i >= wpa_s->sme.sa_query_count) {
   1316 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query "
   1317 			"transaction identifier found");
   1318 		return;
   1319 	}
   1320 
   1321 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received "
   1322 		"from " MACSTR, MAC2STR(sa));
   1323 	sme_stop_sa_query(wpa_s);
   1324 }
   1325 
   1326 #endif /* CONFIG_IEEE80211W */
   1327